Both FERPA and the COPPA Rule presume that schools have the resources and knowledge to assess their own data security practices, to say nothing of that of their vendors. Emerging evidence suggests that this presumption should be challenged. The FTC and ED can take affirmative action to improve the security with which schools and their vendors treat student data.

It is inevitable that the education sector will experience data breaches and be subject to cyberattacks. One recent phishing attack has become so widespread and so damaging that the Internal Revenue Service (IRS) itself has issued public guidance for schools on how to respond. Please share this information widely, educate yourself, and work with your schools to mitigate the risks of handling personal data of school employees, students, and their families.

Select state government audits of school district IT security procedures find a concerning state of affairs. State departments of education should adopt and promulgate digital security expectations and best practices for schools, provide technical assistance and resources to districts to support implementation, and conduct regular audits to ensure compliance.